Proxy and remote server not responding
Hi all,

I'm trying to use FreeRADIUS (version 1.0.0) as a proxy for roaming users using my network. Basically, I need to forward requests to roaming partners and alter requests and responses from those distant servers. I have developed a module that I used in the sections pre-proxy and post-proxy of my configuration file radiusd.conf. So far, it works.

Except for the following: when the remote server is not responding (timeout), the post-proxy section of my module doesn't seem to be called. FreeRADIUS is sending a reject to the NAS, but I need to modify this Access-Reject before it is sent.

I have the following traces from FreeRADIUS in debug xxx:

    Wed Sep 22 16:34:06 2004 : Debug: Thread 1 waiting to be assigned a request
    rad_recv: Access-Request packet from host ***:34550, id=185, length=66
    Wed Sep 22 16:34:11 2004 : Debug: Ignoring duplicate packet from client ***:34550 - ID: 185, due to outstanding proxied request 0.
    Wed Sep 22 16:34:11 2004 : Debug: --- Walking the entire request list ---
    Wed Sep 22 16:34:11 2004 : Debug: Waking up in 1 seconds...
    Wed Sep 22 16:34:11 2004 : Debug: Threads: total/active/spare threads = 5/0/5
    Wed Sep 22 16:34:12 2004 : Debug: --- Walking the entire request list ---
    Wed Sep 22 16:34:12 2004 : Debug: Server rejecting request 0.
    Sending Access-Reject of id 185 to ***:34550
    Wed Sep 22 16:34:12 2004 : Proxy: marking authentication server ***:1665 for realm orange.fr dead
    Wed Sep 22 16:34:12 2004 : Debug: Waking up in 0 seconds...
    Wed Sep 22 16:34:12 2004 : Debug: --- Walking the entire request list ---
    Wed Sep 22 16:34:12 2004 : Debug: Cleaning up request 0 ID 185 with timestamp 41518d5e
    Wed Sep 22 16:34:12 2004 : Debug: proxy: de-allocating ac1ae915:1665 0
    Wed Sep 22 16:34:12 2004 : Debug: Nothing to do. Sleeping until we see a request.

My radiusd.conf contains the following for the proxy sections:

    pre-proxy {
        my_module
        pre_proxy_log
    }
    post-proxy {
        post_proxy_log
        my_module
    }

Any ideas as to why I don't catch the reject before it's sent to the NAS?

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Wireless Network
Hi all, I'm trying to use freeradius to connect users to a private network or to Internet through an AP of a Wireless LAN. A user gets an account for private network connection or Internet connection. Internet is ok, but I tried different ways to make him having a private network connection (and just that) and it doesn't work because there's an AP between the user and Radius cabled LAN. Any ideas? Thanks
authentication Problem
Hello all,

I'm using freeradius to authenticate users to an Active-Directory-Server using perl as authentication method. I managed to get everything working like expected, with the radius server asking the authentication and the correct vlan from the ADS and then afterwards sending it back to an alcatel switch, which then puts the client into the correct vlan.

My problem now is, that it is working here in my company environment, but it is not working in the environment of our customer, where I always get this message in the radius log:

    Thu Sep 23 10:33:43 2004 : Error: Discarding new request from client default:1040 - ID: 50 due to live request 10
    Thu Sep 23 10:33:47 2004 : Error: Discarding new request from client default:1040 - ID: 50 due to live request 10
    Thu Sep 23 10:33:51 2004 : Error: Discarding new request from client default:1040 - ID: 50 due to live request 10
    Thu Sep 23 10:33:55 2004 : Error: rlm_radutmp: NAS default port 3 unknown packet type 15)
    Thu Sep 23 10:34:10 2004 : Error: WARNING: Unresponsive child (id 1125329600) for request 10
    Thu Sep 23 10:34:19 2004 : Auth: Login incorrect: [user/password] (from client default port 3)

I have an additional log for the perl part, which still gives back the correct vlan, if a client tries to authenticate. Does anyone have an idea, what kind of problem could exist here?

Thanks in advance,
Markus Blasl

PS: here in our company, we are using one switch and the customer is using a stacked switch, maybe that could cause it?!
Problem with nostrip
Hello,

I use freeradius 0.9.3 from fedora core 2 distro. I'd like to use mysql tables to store users information. I test my configuration against User-Name = [EMAIL PROTECTED]

proxy.conf listing:

    realm localhost {
        type = radius
        authhost = LOCAL
    }

As I haven't specified the nostrip directive I thought radius would query the database with User-Name = 'test' but it uses User-Name = '[EMAIL PROTECTED]'. I looked at debug output and I found that 'test' is assigned to Stripped-User-Name, 'localhost' is assigned to Realm but sql module still uses [EMAIL PROTECTED] as User-Name. I tried to add a files section like this:

    files {
        preproxy_usersfile = ${confdir}/preproxy_users
    }

and place files between REALM and sql in the authorize section but the result is the same. radiusd.conf is listed below (I have removed not needed lines to make it shorter). What can be done to correct this problem?

    proxy_requests = yes
    $INCLUDE ${confdir}/proxy.conf

    modules {
        realm REALM {
            format = suffix
            delimiter = @
        }
        detail acct_detail {
            detailfile = ${radacctdir}/%{Client-IP-Address}/acct-detail-%Y%m%d
            detailperm = 0600
        }
        detail auth_detail {
            detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
            detailperm = 0600
        }
        acct_unique {
            key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
        }
        $INCLUDE ${confdir}/sql.conf
    }

    authorize {
        REALM
        sql
        auth_detail
    }

    accounting {
        acct_unique
        sql
        acct_detail
    }

Thanks in advance.

Best Regards,
-- George Chelidze
Re: PEAP + LDAP with crypted PWs?
hi,

I think i'm gonna do PEAP + LDAP with MSCHAPv2, and I also have crypted passwords... so what i'm planning to do is a middle step: people will have to authenticate via web the first time, in order to check the password. Then, if it's correct the password will be hashed in the air to NT format. This value will be stored in LDAP in the ntpassword (samba schema) attribute. The programming will be in Perl ;) , but it won't be very portable, as it'll be very locale adapted.

I've tested it, and freeRadius correctly retrieves the LDAP ntpassword while authorizing, and authenticates with it PEAP+MSCHAPv2 ok against an XP client... isn't it fantastic? (freeRadius, i mean) :)

Is my planning usual/correct/anathema ?

bye

From: Martin Pauly [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: PEAP + LDAP with crypted PWs?
Date: Wed, 22 Sep 2004 19:35:20 +0200
Reply-To: [EMAIL PROTECTED]

Hi everyone,

We have shortly migrated our user database to OpenLDAP, keeping the UNIX-crypted passwords. Now I would like to let wireless users authenticate against this LDAP Server. Since we do not have a PKI in place, I have set up an auth chain using PEAP/MSCHAPv2 (you might have guessed from my previous posts). For a first push, I split the chain and tested both LDAP and PEAP with cleartext passwords on the RADIUS side; they both work now.

The big question is, of course, how to deal with the encrypted passwords. Any Challenge-Response protocol such as MSCHAPv2 won't quite cut it, unless you imagine fancy stuff like passing the seed for crypt to the client first who can then in turn do the required hash ...

So what might be a feasible Option? TTLS has been a second option only so far, since PEAP is already wired into Windows XP -- which is still what most of our users will be running for some time :-| On the other hand, I haven't seen anything like PEAP-PAP so far, but I have seen there is TTLS-PAP and the like. Any suggestions?

Thanks, Martin

--
Dr. Martin Pauly     Fax:    49-6421-28-26994
HRZ Univ. Marburg    Phone:  49-6421-28-23527
Hans-Meerwein-Str.   E-Mail: [EMAIL PROTECTED]
D-35032 Marburg
Free-Radius install on Solaris
Good Day All,

I have looked for a solution to this, but I haven't been able to find anything that will solve my problem. I am attempting to install Free-Radius on a Solaris 8 box. I have tried 1.0.1 and 0.9.3, but both of them result in a core dump when I attempt to activate the EAP support. For 1.0.1, I also built this version on a linux box and the configuration files from Solaris work without a problem. On the 0.9.3 build I took the configuration files from a working setup and again a core dump. Currently I am building the latest CVS snapshot. Has anyone seen a problem like this in the past or have a possible solution?

Thanks
Stephen Donovan
Re: PEAP + LDAP with crypted PWs?
> isn't it fantastic? (freeRadius, i mean) :)

Full ack, using freeRadius is fun (even the code itself didn't scare me off, although I had only time to take a short glimpse).

> I think i'm gonna do PEAP + LDAP with MSCHAPv2, and I also have crypted passwords... so what i'm planning to do is a middle step: people will have to authenticate via web the first time, in order to check the password. Then, if it's correct the password will be hashed in the air to NT format. This value will be stored in LDAP in the ntpassword (samba

hm, we do this already, except the NT-hashed password is not kept on the UN*X side but immediately passed on to our windows servers. So this _might_ be a way to authenticate our local users. In the long run, we want to make this part of DFNRoaming, a yet-to-build-network of german university RADIUS servers proxying each other == use one Account to log on to almost any german university network. This would _probably_ require the password itself.

> I've tested it, and freeRadius correctly retrieves the LDAP ntpassword while authorizing, and authenticate with it PEAP+MSCHAPv2 ok against an XP client...

How do you configure this, i.e. how do you make FreeRadius retrieve the NT-hashed password first?

Cheers, Martin

--
Dr. Martin Pauly     Fax:    49-6421-28-26994
HRZ Univ. Marburg    Phone:  49-6421-28-23527
Hans-Meerwein-Str.   E-Mail: [EMAIL PROTECTED]
D-35032 Marburg
Re: cisco_vsa_hack
I don't know how to use CVS but I am learning to do that now. I only tried it on postgresql using Peter Nixon's schema. I only had to do some minor changes. I will post the patch here. Thanks.

Kafui Amedzekor

--- Apu islam [EMAIL PROTECTED] wrote:
> Hello Kafui, Is that hack being sent with CVS/Standard distribution? Does that work with the PostgreSQL billing options that are provided?
> -apu
>
> --- Amedzekor Kafui [EMAIL PROTECTED] wrote:
>> Yes I did write it.
>> Kafui Amedzekor.
>>
>> --- Peter Nixon [EMAIL PROTECTED] wrote:
>>> On Friday 06 August 2004 18:19, Amedzekor Kafui wrote:
>>>> --snip--
>>>> Anyway what I am aiming at is to write a hack for quintum gateways so that Quintums sending cisco type accounting packets can use the schema provided by Peter Nixon in src/billing. Has anyone written this already? Thanks.
>>>> Kafui Amedzekor.
>>>
>>> Did anyone ever write a Quintum VSA hack?
>>>
>>> Regards
>>> -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Adding Realm to Accounting Data
Hi,

I am running FR 1.0.0 on RedHat9. I have 2 radius servers set up primarily for proxying but we do have some locally managed realms. I have 2 special cases where I need to add realm information to our accounting data. I had been trying this with attr_rewrite with little success.

Case 1: ISP ABC.COM proxies auth requests through our radius server either by providing [EMAIL PROTECTED] or by Client-IP-Address. I have a rather complicated regex in my users file that upon an IP match will proxy the request to abc.com's radius server. For end users who provide the realm, it's no big deal, [EMAIL PROTECTED] shows up in the accounting data. How do I add @abc.com to the accounting data for only those users who fall into the proxy by IP case?

Case 2: ISP XYZ.COM is only sending us accounting data from a single radius server using radrelay. XYZ.COM is not sending any realm information, only username, NAS-IP-Address, Client-IP-Address etc. How do I add @xyz.com to the incoming accounting data as it comes in (or before getting written to the detail file/database)? Or is that even the best way to do it?

Currently all of the accounting data is going to a detail file as well as a SQL database. We have been running sql statements to add the realm information for abc.com and xyz.com but this has been problematic. At this point everything is running pretty solid. I am proxying nearly 100 domains so I want to make sure I do not screw up the accounting data for the other realms.

Thanks,
where do I set the shared Secret
I have solaris 8 and am running 1.0.1. I am going to try and get mac address authentication going for my 60+ Orinoco/Avaya Access points. But I can't seem to find where to set the shared secret password for the server. I know mac addresses can be easily faked and that there are other ways of doing this, but this is what my bosses want.
Re: ip pool for each realm
On Mon, 20 Sep 2004, Bad Moh wrote:
> Hi, How can I configure freeradius to allocate ip address from different pools based on the users realm?
> realm1 - 10.1.0.0/16
> realm2 - 10.2.0.0/16
> etc ...
> Is it possible?

    DEFAULT Realm == first, Pool-Name := first
    DEFAULT Realm == second, Pool-Name := second

The rest, you can find in radiusd.conf and the documentation

> Thank you in advance.

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: where do I set the shared Secret
On Thu, 2004-09-23 at 15:25, Christopher F. Wilson wrote:
> I have solaris 8 and am running 1.0.1. I am going to try and get mac address authentication going for my 60+ Orinoco/Avaya Access points. But I can't seem to find where to set the shared secret password for the server.

clients.conf

Regards,
Guus
Re: KRB5 + Freeradius 1.0.1 Problem.
The Auth-Type must match what is in the dictionary (the default dictionaries have Kerberos rather than KRB5)

On Wed, 2004-09-22 at 15:21, Kenneth Mix wrote:
> After upgrading to Freeradius 1.0.1, I am getting an error when trying to authenticate users via Kerberos 5. Below is debug output from an authentication attempt:
>
>     Ready to process requests.
>     rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:21743, id=239, length=78
>         User-Name = seliason
>         User-Password = mitchell
>         NAS-Port = 226
>         NAS-Port-Type = Virtual
>         Calling-Station-Id = XX.XX.XX.XX
>         NAS-IP-Address = XXX.XXX.XXX.XXX
>     Processing the authorize section of radiusd.conf
>     modcall: entering group authorize for request 0
>     modcall[authorize]: module preprocess returns ok for request 0
>     rlm_realm: No '@' in User-Name = seliason, looking up realm NULL
>     rlm_realm: No such realm NULL
>     modcall[authorize]: module suffix returns noop for request 0
>     users: Matched seliason at 135
>     modcall[authorize]: module files returns ok for request 0
>     modcall: group authorize returns ok for request 0
>     rad_check_password: Found Auth-Type KRB5
>     auth: type KRB5
>     Processing the authenticate section of radiusd.conf
>     modcall: entering group Auth-Type for request 0
>     rlm_krb5: Attribute User-Password is required for authentication. Cannot use User-Name.
>     modcall[authenticate]: module krb5 returns invalid for request 0
>     modcall: group Auth-Type returns invalid for request 0
>     auth: Failed to validate the user.
>     Login incorrect: [seliason] (from client CIDR port 226 cli xx.XX.XX.X)
>     Delaying request 0 for 1 seconds
>     Finished request 0
>     Going to the next request
>
> Does anybody have any ideas on how I might resolve this issue?
>
> Thanks, Ken Mix
Re: Wireless Network
[EMAIL PROTECTED] wrote:
> Internet is ok, but I tried different ways to make him having a private network connection (and just that) and it doesn't work because there's an AP between the user and Radius cabled LAN. Any ideas?

Set up routing on the AP for the private network.

Alan DeKok.
Re: authentication Problem
Markus Blasl [EMAIL PROTECTED] wrote:
> My problem now is, that it is working here in my company environment, but it is not working in the environment of our customer, where I always get this message in the radius log:
>
>     Thu Sep 23 10:33:43 2004 : Error: Discarding new request from client default:1040 - ID: 50 due to live request 10

Please use google to find similar error messages on this list. The problem is that the server is blocking somehow. The solution, as always, is to run it in debug mode.

>     Thu Sep 23 10:34:10 2004 : Error: WARNING: Unresponsive child (id 1125329600) for request 10

That message should make it clear as to what the problem is.

Alan DeKok.
Re: Problem with nostrip
George Chelidze [EMAIL PROTECTED] wrote:
> as I haven't specified nostrip directive I thought radius would query database with User-Name = 'test' but it uses User-Name = '[EMAIL PROTECTED]'. I looked at debug output and I found that 'test' is assigned to Stripped-User-Name, 'localhost' is assigned to Realm but sql module still uses [EMAIL PROTECTED] as User-Name.

Please read sql.conf, and look for sql_user_name

Alan DeKok.
Re: Proxy and remote server not responding
Chaigneau Nicolas [EMAIL PROTECTED] wrote:
> Except for the following: when the remote server is not responding (timeout), the post-proxy section of my module doesn't seem to be called. FreeRADIUS is sending a reject to the NAS, but I need to modify this Access-Reject before it is sent.

The server can't do that right now. As always, patches are welcome.

Alan DeKok.
Re: PEAP + LDAP with crypted PWs?
hi,

Well, our aim is to store the ntpassword field in... a win2k Active Directory ... it is an ldap server, isn't it? I've checked plain auth against AD, and it runs ok ;) But i'll have to extend its schema in order to use ntpassword, and it'll take some time (and headaches ?).

You don't have to do too much in order to use ntpassword: extend your ldap schema to allow it (samba schema), and just configure freeradius to use your ldap: from logs, i've seen that freeradius detects the ntpassword field while doing the ldap authorization, and retrieves it, so it's available when doing eap mschap2 authentication. At least, it works...

bye

From: Martin Pauly [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: PEAP + LDAP with crypted PWs?

> crypted passwords... so what i'm planning to do is a middle step: people will have to authenticate via web the first time, in order to check the password. Then, if it's correct the password will be hashed in the air to NT format. This value will be stored in LDAP in the ntpassword (samba

hm, we do this already, except the NT-hashed password is not kept on the UN*X side but immediately passed on to our windows servers. So this _might_ be a way to authenticate our local users. In the long run, we want to make this part of DFNRoaming, a yet-to-build-network of german university RADIUS servers proxying each other == use one Account to log on to almost any german university network. This would _probably_ require the password itself.

> I've tested it, and freeRadius correctly retrieves the LDAP ntpassword while authorizing, and authenticate with it PEAP+MSCHAPv2 ok against an XP client...

How do you configure this, i.e. how do you make FreeRadius retrieve the NT-hashed password first?

Cheers, Martin
username authentication
I am using freeradius with a mysql backend, working beautifully with multiple realms. From one of my nas clients as defined in clients.conf, but not the other nas clients, I would like to authenticate any VALID user, regardless of password. If this was a separate realm, I would be good, but I don't know how to do it for a specific client.

Please note that I don't want to allow just any username and password combo, but only active users as they appear in the mysql database. Also note that this is not a separate realm, but a separate client. Other clients that authenticate in this realm still need to match username and password.

What needs to happen for this to be done? Thanks in advance for any help you can give.

-- John Hogenmiller, kb3dfz
HSource, LLC
(no subject)
Hello everyone:

I want to register a phone and authenticate users through RADIUS. Meaning, let's say, I first want to register a phone, which does not have a password, and then if that goes through I want to authenticate the username and password. Is it possible to implement this on RADIUS? If so, please tell me how.

Regards
-- Muhammad Omer Adhia
3A Computer Engineering
University of Waterloo
RE: Segmentation Fault on freeradius 1.0.0
I do, but I have the various builds isolated from each other in their own trees. I tried renaming the old tree (0.9.3) and zeroing out its permissions but I still get that segfault. I even get it with this build of 1.0.1 I did just now.

-- Mark Hennessy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, August 30, 2004 3:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Segmentation Fault on freeradius 1.0.0

Mark Hennessy [EMAIL PROTECTED] wrote:
> I have followed the instructions provided to the other list subscriber and here is my gdb output.
>
>     sql_mysql.c:71
>     71              memset(mysql_sock, 0, sizeof(*mysql_sock));
>     (gdb) bt
>     #0  0x283b0a54 in sql_init_socket (sqlsocket=0x81903c0, config=0x80bc400) at sql_mysql.c:71

Weird. Are you sure you don't have two different versions of the server on the same machine?

Alan DeKok.
accounting errors with pppd
We are running freeradius 1.0.0 on an AMD box. We are authenticating PPD session on the local machine. PPP Users are getting authenticated and allowed through the box: however, when the PPP session goes down PPP is not clearing them in RadAcct. They are allowed back in, and a radwho shows two sessions for the same user, but a ps on the system only shows the current actually up connection.

I have the same version of freeradius running on another box talking to Portmasters and 6096 boxes with no issues. It's only when it's authenticating PPP. Any thoughts or hints would be appreciated.

Other Data: Mandrake 10.0 with all security patches

Marco, scratching his head.
Segfault in radrelay on FR 1.0.1
I sent radrelay a TERM and saw that there were a few records left in the detail file that needed to be pushed. Installed version 1.0.1, and radrelay kept segfaulting when trying to start. Running through gdb, I tracked it down to an invalid entry in the radrelay detail file. The entry it died on was:

    Framed-Protocol = MP

Looks like version 1.0.1 changed some of the Framed-Protocol values in dictionary.ascend. MP changed to Ascend-MP. There are other changes, but this is the one that was causing me trouble. Changing all instances of MP to Ascend-MP allowed radrelay to run again without a problem. Just thought I'd mention it for those people upgrading to version 1.0.1.

Kevin Bonner
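Added example, not part of Kevin Bonner's post and not FreeRADIUS code: a pre-upgrade check that scans a detail file for enumerated values the new dictionary no longer defines, which is the condition described above, and then applies a rename. The dictionary fragment, its numbers and the detail records are constructed for illustration; only the MP to Ascend-MP rename comes from the post.

```python
import re

# Constructed dictionary fragment in "VALUE <attribute> <name> <number>" form.
# The numbers are placeholders, not taken from dictionary.ascend.
DICTIONARY = """\
VALUE Framed-Protocol PPP 1
VALUE Framed-Protocol SLIP 2
VALUE Framed-Protocol Ascend-MP 256   # was "MP" before the rename
VALUE Acct-Status-Type Start 1
VALUE Acct-Status-Type Stop 2
"""

# Constructed detail-file records: a timestamp line, then indented pairs.
DETAIL = (
    "Thu Sep 23 10:00:00 2004\n"
    "\tUser-Name = \"alice\"\n"
    "\tAcct-Status-Type = Start\n"
    "\tFramed-Protocol = PPP\n"
    "\n"
    "Thu Sep 23 10:05:00 2004\n"
    "\tUser-Name = \"bob\"\n"
    "\tAcct-Status-Type = Stop\n"
    "\tFramed-Protocol = MP\n"
)

PAIR = re.compile(r"^\s+([A-Za-z0-9_.-]+)\s*=\s*(.*)$")


def load_values(dictionary_text):
    """Map each attribute to the set of value names the dictionary defines."""
    values = {}
    for line in dictionary_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "VALUE":
            values.setdefault(fields[1], set()).add(fields[2])
    return values


def find_unknown_values(detail_text, values):
    """Return (line number, attribute, value) for names the dictionary lacks."""
    problems = []
    for lineno, line in enumerate(detail_text.splitlines(), 1):
        match = PAIR.match(line)
        if not match:
            continue  # timestamp header or blank separator
        attr, value = match.group(1), match.group(2).strip()
        if attr not in values:
            continue  # attribute has no enumerated values to check
        if value.isdigit() or value in values[attr]:
            continue  # raw numbers and known names are fine
        problems.append((lineno, attr, value))
    return problems


def apply_renames(detail_text, renames):
    """Rewrite pairs listed in renames: {(attribute, old_name): new_name}."""
    out = []
    for line in detail_text.splitlines():
        match = PAIR.match(line)
        if match:
            key = (match.group(1), match.group(2).strip())
            if key in renames:
                indent = line[: len(line) - len(line.lstrip())]
                line = f"{indent}{key[0]} = {renames[key]}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    known = load_values(DICTIONARY)
    for lineno, attr, value in find_unknown_values(DETAIL, known):
        print(f"line {lineno}: {attr} = {value} is not in the dictionary")
    fixed = apply_renames(DETAIL, {("Framed-Protocol", "MP"): "Ascend-MP"})
    print("remaining problems:", find_unknown_values(fixed, known))
```

Run the scan against a copy of the detail file while the relay is stopped, so records are not appended or consumed mid-rewrite.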
Re: where do I set the shared Secret
If you have the default install:

    cd /usr/local/etc/raddb/clients.conf

Marco

Christopher F. Wilson wrote:
> I have solaris 8 and am running 1.0.1. I am going to try and get mac address authentication going for my 60+ Orinoco/Avaya Access points. But I can't seem to find where to set the shared secret password for the server. I know mac addresses can be easily faked and that there are other ways of doing this, but this is what my bosses want.
Re: Wireless Network
On 23 Sep 2004 at 10:38, [EMAIL PROTECTED] wrote:
> I'm trying to use freeradius to connect users to a private network or to Internet through an AP of a Wireless LAN. A user gets an account for private network connection or Internet connection. Internet is ok, but I tried different ways to make him having a private network connection (and just that) and it doesn't work because there's an AP between the user and Radius cabled LAN. Any ideas?

Does it work if they have a general Internet connection, and then you try the private connection?

Depending on the AP you're using, and the network topology, you may also be able to run the access point as a bridge. (Thus, it'll just be a fancy media converter, and wireless clients should be functionally identical to wired clients.) You can't do this with most cheap APs (Linksys, DLink, anything else you'll find at Best Buy), but slightly higher-end radio gear (StarOS, old Lucent/Karlnet gear, maybe Mikrotik) won't even blink at the request.

The biggest downside to this is that it's another piece of hardware you have to buy (this could be done for around $300 US) and another piece of software you have to learn how to configure.

David Smith
MVN.net
Help needed with Digest
hi,

if in the sample script given, to test the radius server, I change the digest-method to REGISTER, the server doesn't authenticate, but when digest-method is INVITE it does. Is there some problem on my side, or will it only work with INVITE only? And if possible can someone send me the script to test with REGISTER?

thanks
Re: Help needed with Digest
Omer Adhia [EMAIL PROTECTED] wrote:
> if in the sample script given, to test the radius server, I change the digest-method to REGISTER, the server doesn't authenticate

The digest algorithm uses the digest method to calculate the digest response. If you change the digest method without changing anything else in the test script, then it won't work. This is also known as "in order to use the protocol, you must actually use the protocol".

> And if possible can someone send me the script to test with REGISTER

See the documentation describing the protocol for how it works.

Alan DeKok.
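Added example, not part of the thread and not the FreeRADIUS test script: the RFC 2617 digest calculation, showing that the method is hashed into the response, so a response computed for INVITE fails verification when only the method field is changed to REGISTER. The user, realm, URI, nonce and password are constructed values.

```python
import hashlib
import hmac


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest (MD5 algorithm).

    HA1 covers the credentials, HA2 covers the method and URI, and the
    response binds both to the server nonce.
    """
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    if qop:
        return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


# Constructed SIP-style values for the demonstration.
USERNAME = "alice"
REALM = "sip.example.org"
PASSWORD = "constructed-secret"
URI = "sip:sip.example.org"
NONCE = "3f2a9c51d7e04b68"


def build_request(method):
    """What a client sends: the fields plus a response computed over them."""
    return {
        "username": USERNAME,
        "realm": REALM,
        "method": method,
        "uri": URI,
        "nonce": NONCE,
        "response": digest_response(USERNAME, REALM, PASSWORD,
                                    method, URI, NONCE),
    }


def server_check(request, password):
    """What the server does: recompute from the received fields and compare."""
    expected = digest_response(request["username"], request["realm"], password,
                               request["method"], request["uri"],
                               request["nonce"])
    return hmac.compare_digest(expected, request["response"])


def demo():
    invite = build_request("INVITE")
    # Only the method is edited; the response is still the INVITE one.
    edited = dict(invite, method="REGISTER")
    # Method changed and response recomputed to match.
    register = build_request("REGISTER")
    return (server_check(invite, PASSWORD),
            server_check(edited, PASSWORD),
            server_check(register, PASSWORD))


if __name__ == "__main__":
    print(demo())
```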
Authenticating IP phone through RADIUS
hi, a quick question. Is it possible to authenticate the ip phone through radius server? What I want to do is, not only to authenticate the users but to also authenticate my ip phone through radius. Is that possible to do so in radius? If not, is there some way around this?
Re: Re: Wireless Network
Hi all and thanks for the answers, I'll explain in a better way.

I would like to have: a user A who can access to Internet with username A and password A (and that's ok, it works); a user B who can access to Private Network (no Internet) with username B and password B. Both connecting to the same AP. Both users have a pc with a wireless card. The AP (Colubris) is connected to Private Network through cabled LAN where the Radius works and the Private Network is connected to Internet.

I tried in different ways and I read quite all docs, but nobody seems to have this problem. Maybe there's no solution with one AP.

Thanks

On 23 Sep 2004 at 10:38, [EMAIL PROTECTED] wrote:
> I'm trying to use freeradius to connect users to a private network or to Internet through an AP of a Wireless LAN. A user gets an account for private network connection or Internet connection. Internet is ok, but I tried different ways to make him having a private network connection (and just that) and it doesn't work because there's an AP between the user and Radius cabled LAN. Any ideas?
Re: Re: Wireless Network
On 23 Sep 2004 at 23:52, [EMAIL PROTECTED] wrote:
> I'll explain in a better way. [ snip: scenario ]

Have the RADIUS server give different IP addresses to users A and B. Have a firewall somewhere between the private network and the Internet that will deny Internet traffic to someone whose IP address is on the private-only list.

David Smith
MVN.net
RE: Free-Radius install on Solaris
Hi Steven,

First things to check:

1) Did the eap module/sub modules actually build? Check the installation lib directory for rlm_eap*. I found that using the Sun Workshop C compiler, several modules do not build as they rely on gcc features (in particular zero length arrays).

2) Run the server in debug mode to see where it is going wrong.

    radiusd -X

-----Original Message-----
From: Stephen Donovan [mailto:[EMAIL PROTECTED]
Sent: Thursday, 23 September 2004 10:39 PM
To: [EMAIL PROTECTED]
Subject: Free-Radius install on Solaris

Good Day All,

I have looked for a solution to this, but I haven't been able to find anything that will solve my problem. I am attempting to install Free-Radius on a Solaris 8 box. I have tried 1.0.1 and 0.9.3, but both of them result in a core dump when I attempt to activate the EAP support. For 1.0.1, I also built this version on a linux box and the configuration files from Solaris work without a problem. On the 0.9.3 build I took the configuration files from a working setup and again a core dump. Currently I am building the latest CVS snapshot. Has anyone seen a problem like this in the past or have a possible solution?

Thanks
Stephen Donovan
radrelay problem....
Hi...

Info:
FreeBSD 4.9
FreeRADIUS 1.0.1
OpenLDAP backend

I'm using radrelay to duplicate accounting from a few servers to one master server as below:

    radius1- radius2 master_radius radius3

It's working OK... and master_radius has full records of all radius accounting including radutmp... But there is a problem when I pump back from master_radius to radiusX using radrelay

    --- radius1 master_radius --- radius2 --- radius3

From the radutmp record (using radwho)... I cannot get full records as master_radius in radiusX. Even the detail-combined in master_radius is also not properly processed.. it keeps growing bigger... The detail-combined in radiusX is OK...

Commands used for radrelay..

    /usr/local/bin/radrelay -a /var/adm/radacct -d /usr/local/etc/raddb \
        -S /usr/local/etc/raddb/radrelay_secret -r master_radius:1646 \
        detail-combined

    /usr/local/bin/radrelay -a /var/adm/radacct -d /usr/local/etc/raddb \
        -S /usr/local/etc/raddb/radrelay_secret -r radiusX:1646 \
        detail-combined

and detail-combined config in radiusd.conf

    detail detail2 {
        detailfile = ${radacctdir}/detail-combined
        detailperm = 0644
        locking = yes
    }

Anyone can help??

--haizam